In most physical information technology (IT) infrastructure, resource utilization is very low: 15% is not an uncommon utilization for a server, 5% for a desktop. It is known to try to address this by sharing a physical machine between different users. Typically in a utility data center there may be hundreds of machines networked and shared by many enterprises. Each enterprise may be running many applications to serve their own customers. Known operating systems can be used to time share the physical processing resources of the machines between the different enterprises. Various ways are known to abstract or hide the underlying physical resources from the applications run by the enterprises. Overlay networks are known and make it easy to change the network configuration, abstracting devices from the configuration of the real network.
Storage virtualisation is also known. There are many commercial storage virtualization products on the market from HP, IBM, EMC and others. These products are focused on managing the storage available to physical machines and increasing the utilization of storage.
Virtual machine technology is a known mechanism to run operating system instances on one physical machine independently of other operating system instances. It is known to have a single physical hosting machine running two or more virtual machines connected by a virtual network on this machine.
A virtual machine (VM) is a self-contained operating environment that emulates a hardware platform. It can run a “guest” operating system. A real operating system called a virtual machine manager (VMM) is run on the physical hardware platform. The VMM runs one or more VMs and can contain multiple virtual devices, one of which can be a virtual network interface card (VNIC). VMware is a known example of virtual machine technology, and can provide isolated environments for different operating system instances running on the same physical machine.
An example of a virtual network interface is described in “SoftUDC: A Software-Based Data Center for Utility Computing”, Kallahalla et al, Computer, November 2004, p 38-46. Virtual machines access networking via a virtual network interface (VIF), which mimics an Ethernet device. A virtual machine manager (VMM) forwards outbound network packets to its physical network interface and dispatches incoming network packets to appropriate VIFs. The VMM encapsulates the packet and sends it to another VMM or a virtual router on the same VNET. The receiving VMM unwraps the packet and delivers it to the target VM.
Network traffic from virtual machines is distributed to virtual interfaces via Ethernet bridging in a special virtual machine containing a kernel module. The kernel module uses the EtherIP protocol to encapsulate outbound Ethernet traffic destined for a VNET in an IP packet and forwards the packet to the network. The kernel module decapsulates inbound EtherIP traffic to produce an Ethernet frame, which it delivers to VIFs on its VNET. An EtherIP header field stores a packet's VNET identification for transport across the network.
If a VIF requires direct access to the physical network, the kernel module delivers its traffic to the network without encapsulation. Ethernet frames are encapsulated rather than IP traffic primarily because doing so allows virtual machines to use any network protocol transparently. In addition, handling the Ethernet frame is simpler than extracting an IP packet.
The kernel module must direct encapsulated VNET traffic to a suitable internet protocol (IP) address. This care-of address is based on the Ethernet frame and VNET destination media access control (MAC) address. If the MAC is a broadcast or multicast address, the care-of address is the local VNET multicast address. If the MAC is a unicast address, the care-of address is the real IP address of the machine hosting the addressed VIF.
A Virtual Address Resolution Protocol (VARP) is used to discover VIF care-of addresses, which can change during virtual machine migration. Broadcasting a VARP reply for all VIFs maintains network connectivity by updating the VARP caches of any systems communicating with the virtual machine.
US patent application 2004/0267866 shows a virtual machine sending an IP datagram to an IP destination address. A virtual machine manager in the form of a base portion for hosting many virtual machines has a virtual network interface manager which determines if the target IP address is associated with one of the other virtual machines hosted by the base portion. If so, a virtual switch is used to switch the IP datagram to the appropriate virtual network interface for that virtual machine. Otherwise, a virtual switch manager is used to pass the datagram for transmission over an external local area network (LAN).
In “Towards Automated Provisioning of Secure Virtualized Networks”, by Cabuk et al, November 2007, it is explained that a VMM can be hosted directly on the computer hardware (e.g., Xen) or within a host operating system (e.g., VMware). Today's virtual network implementations for VMMs are usually virtual switches or bridges that connect the virtual network cards of all VMs to the actual physical network card of the physical machine. All VMs can potentially see all traffic; hence, no isolation or other security guarantees can be given. While that level of security may be sufficient for individual and small enterprise purposes, it is certainly not sufficient for larger-scale, security-critical operations. This document proposes security-enhanced network virtualization, which (1) allows groups of related VMs running on separate physical machines to be connected together as though they were on their own separate network fabric, and (2) enforces cross-group security requirements such as isolation, confidentiality, integrity, and information flow control.
Related VMs (e.g., VMs belonging to the same customer in a data center) distributed across several physical machines, are grouped into virtual enclave networks, so that each group of VMs has the same protection as if the VMs were hosted on a separate physical LAN. If some VMs in a group are co-hosted on the same hardware; it is not necessary to involve the physical network during information flow between two such VMs.
A secure network virtualization framework helps realize the abstraction of Trusted Virtual Domains (TVDs) by guaranteeing reliable isolation and flow control between domain boundaries. The framework is based on existing and well-established network virtualization technologies such as Ethernet encapsulation, VLAN tagging, and virtual private networks (VPNs).